forked from TrueCloudLab/frostfs-node
afeebd310c
Owner of the request is stored in session token most of the times. Put request contains session token in the object body, so we have to fetch it from there. Signed-off-by: Alex Vanin <alexey@nspcc.ru>
199 lines
4.6 KiB
Go
199 lines
4.6 KiB
Go
package acl
|
|
|
|
import (
|
|
"bytes"
|
|
"crypto/ecdsa"
|
|
|
|
"github.com/nspcc-dev/neofs-api-go/pkg"
|
|
acl "github.com/nspcc-dev/neofs-api-go/pkg/acl/eacl"
|
|
"github.com/nspcc-dev/neofs-api-go/pkg/container"
|
|
"github.com/nspcc-dev/neofs-api-go/pkg/netmap"
|
|
"github.com/nspcc-dev/neofs-api-go/pkg/owner"
|
|
"github.com/nspcc-dev/neofs-api-go/v2/session"
|
|
crypto "github.com/nspcc-dev/neofs-crypto"
|
|
core "github.com/nspcc-dev/neofs-node/pkg/core/netmap"
|
|
"github.com/pkg/errors"
|
|
)
|
|
|
|
type (
|
|
InnerRingFetcher interface {
|
|
InnerRingKeys() ([][]byte, error)
|
|
}
|
|
|
|
metaWithToken struct {
|
|
vheader *session.RequestVerificationHeader
|
|
token *session.SessionToken
|
|
}
|
|
|
|
SenderClassifier struct {
|
|
innerRing InnerRingFetcher
|
|
netmap core.Source
|
|
}
|
|
)
|
|
|
|
// fixme: update classifier constructor
|
|
func NewSenderClassifier(ir InnerRingFetcher, nm core.Source) SenderClassifier {
|
|
return SenderClassifier{
|
|
innerRing: ir,
|
|
netmap: nm,
|
|
}
|
|
}
|
|
|
|
func (c SenderClassifier) Classify(
|
|
req metaWithToken,
|
|
cid *container.ID,
|
|
cnr *container.Container) acl.Role {
|
|
|
|
if cid == nil {
|
|
// log there
|
|
return acl.RoleUnknown
|
|
}
|
|
|
|
ownerID, ownerKey, err := requestOwner(req)
|
|
if err != nil || ownerID == nil || ownerKey == nil {
|
|
// log there
|
|
return acl.RoleUnknown
|
|
}
|
|
|
|
// todo: get owner from neofs.id if present
|
|
|
|
// if request owner is the same as container owner, return RoleUser
|
|
if bytes.Equal(cnr.GetOwnerID().GetValue(), ownerID.ToV2().GetValue()) {
|
|
return acl.RoleUser
|
|
}
|
|
|
|
ownerKeyInBytes := crypto.MarshalPublicKey(ownerKey)
|
|
|
|
isInnerRingNode, err := c.isInnerRingKey(ownerKeyInBytes)
|
|
if err != nil {
|
|
// log there
|
|
return acl.RoleUnknown
|
|
} else if isInnerRingNode {
|
|
return acl.RoleSystem
|
|
}
|
|
|
|
isContainerNode, err := c.isContainerKey(ownerKeyInBytes, cid.ToV2().GetValue(), cnr)
|
|
if err != nil {
|
|
// log there
|
|
return acl.RoleUnknown
|
|
} else if isContainerNode {
|
|
return acl.RoleSystem
|
|
}
|
|
|
|
// if none of above, return RoleOthers
|
|
return acl.RoleOthers
|
|
}
|
|
|
|
func requestOwner(req metaWithToken) (*owner.ID, *ecdsa.PublicKey, error) {
|
|
if req.vheader == nil {
|
|
return nil, nil, errors.Wrap(ErrMalformedRequest, "nil verification header")
|
|
}
|
|
|
|
// if session token is presented, use it as truth source
|
|
if req.token != nil {
|
|
body := req.token.GetBody()
|
|
if body == nil {
|
|
return nil, nil, errors.Wrap(ErrMalformedRequest, "nil at session token body")
|
|
}
|
|
|
|
signature := req.token.GetSignature()
|
|
if signature == nil {
|
|
return nil, nil, errors.Wrap(ErrMalformedRequest, "nil at signature")
|
|
}
|
|
|
|
return owner.NewIDFromV2(body.GetOwnerID()), crypto.UnmarshalPublicKey(signature.GetKey()), nil
|
|
}
|
|
|
|
// otherwise get original body signature
|
|
bodySignature := originalBodySignature(req.vheader)
|
|
if bodySignature == nil {
|
|
return nil, nil, errors.Wrap(ErrMalformedRequest, "nil at body signature")
|
|
}
|
|
|
|
key := crypto.UnmarshalPublicKey(bodySignature.GetKey())
|
|
neo3wallet, err := owner.NEO3WalletFromPublicKey(key)
|
|
if err != nil {
|
|
return nil, nil, errors.Wrap(err, "can't create neo3 wallet")
|
|
}
|
|
|
|
// form user from public key
|
|
user := new(owner.ID)
|
|
user.SetNeo3Wallet(neo3wallet)
|
|
|
|
return user, key, nil
|
|
}
|
|
|
|
func originalBodySignature(v *session.RequestVerificationHeader) *pkg.Signature {
|
|
if v == nil {
|
|
return nil
|
|
}
|
|
|
|
for v.GetOrigin() != nil {
|
|
v = v.GetOrigin()
|
|
}
|
|
|
|
return pkg.NewSignatureFromV2(v.GetBodySignature())
|
|
}
|
|
|
|
func (c SenderClassifier) isInnerRingKey(owner []byte) (bool, error) {
|
|
innerRingKeys, err := c.innerRing.InnerRingKeys()
|
|
if err != nil {
|
|
return false, err
|
|
}
|
|
|
|
// if request owner key in the inner ring list, return RoleSystem
|
|
for i := range innerRingKeys {
|
|
if bytes.Equal(innerRingKeys[i], owner) {
|
|
return true, nil
|
|
}
|
|
}
|
|
|
|
return false, nil
|
|
}
|
|
|
|
func (c SenderClassifier) isContainerKey(
|
|
owner, cid []byte,
|
|
cnr *container.Container) (bool, error) {
|
|
|
|
// first check current netmap
|
|
nm, err := core.GetLatestNetworkMap(c.netmap)
|
|
if err != nil {
|
|
return false, err
|
|
}
|
|
|
|
in, err := lookupKeyInContainer(nm, owner, cid, cnr)
|
|
if err != nil {
|
|
return false, err
|
|
} else if in {
|
|
return true, nil
|
|
}
|
|
|
|
// then check previous netmap, this can happen in-between epoch change
|
|
// when node migrates data from last epoch container
|
|
nm, err = core.GetPreviousNetworkMap(c.netmap)
|
|
if err != nil {
|
|
return false, err
|
|
}
|
|
|
|
return lookupKeyInContainer(nm, owner, cid, cnr)
|
|
}
|
|
|
|
func lookupKeyInContainer(
|
|
nm *netmap.Netmap,
|
|
owner, cid []byte,
|
|
cnr *container.Container) (bool, error) {
|
|
|
|
cnrNodes, err := nm.GetContainerNodes(cnr.GetPlacementPolicy(), cid)
|
|
if err != nil {
|
|
return false, err
|
|
}
|
|
|
|
flatCnrNodes := cnrNodes.Flatten() // we need single array to iterate on
|
|
for i := range flatCnrNodes {
|
|
if bytes.Equal(flatCnrNodes[i].InfoV2.GetPublicKey(), owner) {
|
|
return true, nil
|
|
}
|
|
}
|
|
|
|
return false, nil
|
|
}
|